I am currently running Keycloak version 25.0.0 in production, configured with an NGINX reverse proxy. My goal is to use Keycloak with the host https://somehost.com for public access while restricting access to the admin console to my internal network using its IP and port directly.
Here are my current Keycloak hostname v2 configurations:
KC_HOSTNAME=https://abc.com # Public hostname for the web app
KC_HOSTNAME_PORT=8080 # Port where Keycloak is running
KC_HOSTNAME_ADMIN=http://localhost:8080/auth # URL to access the admin console internally
KC_HTTP_ENABLED=true
Problem:
When running Keycloak with the above configuration, I am unable to access the admin console. Specifically, the requests for some resources required to render the admin UI are being sent to the frontend host (i.e., KC_HOSTNAME) instead of KC_HOSTNAME_ADMIN.
For example:
- Initial request and JavaScript and CSS resources are correctly routed to KC_HOSTNAME_ADMIN. Ex - “auth/admin/master/console/”, “auth/resources/zre7y/admin/keycloak.v2/assets/index-C1LIsRX7.js”
- However, some resources (e.g., html) are incorrectly routed to KC_HOSTNAME. Ex “resources/master/admin/en”, “realms/master/protocol/openid-connect/3p-cookies/step1.html”
Additional Note:
The /auth path in the URL is intentional; I recently migrated from version 10 to version 25, and due to legacy reasons, I retained /auth as a relative path.
Assistance Needed:
Has anyone encountered a similar issue or can provide guidance on how to ensure all admin console resources are correctly routed to KC_HOSTNAME_ADMIN?
I am happy to share Docker files or other configuration details if someone wants to replicate the issue on their machine.
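
An added diagnostic example, not part of the original post and not Keycloak code: it audits the request URLs captured while loading the admin console and reports every request that left the admin origin or dropped the /auth relative path. The function names are hypothetical, and the sample URLs are constructed by joining the post's two configured hosts with the paths it quotes.

```python
from urllib.parse import urlsplit

ADMIN_URL = "http://localhost:8080/auth"  # KC_HOSTNAME_ADMIN value from the post
PUBLIC_URL = "https://abc.com"            # KC_HOSTNAME value from the post
RELATIVE_PATH = "/auth"                   # relative path the post says was retained

def origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    return (parts.scheme, (parts.hostname or "").lower(), port)

def classify(url):
    """Return (origin label, whether the path sits under the relative path)."""
    path = urlsplit(url).path
    under_prefix = path == RELATIVE_PATH or path.startswith(RELATIVE_PATH + "/")
    if origin(url) == origin(ADMIN_URL):
        return "admin", under_prefix
    if origin(url) == origin(PUBLIC_URL):
        return "public", under_prefix
    return "other", under_prefix

def audit(urls):
    """List requests that did not stay on the admin origin under /auth."""
    findings = []
    for url in urls:
        where, under_prefix = classify(url)
        if where != "admin" or not under_prefix:
            findings.append((url, where, under_prefix))
    return findings

# Constructed sample: the post's hosts joined with the paths it quotes.
CAPTURED = [
    "http://localhost:8080/auth/admin/master/console/",
    "http://localhost:8080/auth/resources/zre7y/admin/keycloak.v2/assets/index-C1LIsRX7.js",
    "https://abc.com/resources/master/admin/en",
    "https://abc.com/realms/master/protocol/openid-connect/3p-cookies/step1.html",
]

if __name__ == "__main__":
    for url, where, under_prefix in audit(CAPTURED):
        note = "under /auth" if under_prefix else "missing /auth"
        print(f"{where:6} {note:13} {url}")
```

Feeding it the URL list exported from the browser's network tab shows at a glance which admin console requests would reach the public host through the reverse proxy.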